Data Breach Policy

1. Introduction

The Alliance collects, holds, processes, and shares personal data, a valuable asset that needs to be suitably

Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise

Compromise of information confidentiality, integrity or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative non-compliance, and/or financial

2. Purpose and Scope

The Alliance is obliged under Data Protection legislation[1] to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of

This policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across The Alliance.

This policy relates to all personal and special categories (sensitive) data held by The Alliance regardless of

This policy applies to all staff and student interns at The Alliance. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of, The Alliance.

The objective of this policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further

3. Definitions / Types of breach

For the purpose of this policy, data security breaches include both confirmed and suspected incidents.

An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to The Alliance’s information assets and / or reputation.

An incident includes but is not restricted to, the following:

loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record);

equipment theft or failure;

system failure;

unauthorised use of, access to or modification of data or information systems;

attempts (failed or successful) to gain unauthorised access to information or IT system(s);

unauthorised disclosure of sensitive / confidential data;

website defacement;

hacking attack;

unforeseen circumstances such as a fire or flood;

human error;

‘blagging’ offences where information is obtained by deceiving the organisation that holds it.

[1] The General Data Protection Regulation (GDPR) and related EU and national legislation.

4. Reporting an incident

Any individual who accesses, uses or manages The Alliance’s information is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer (at [email protected]) and IT Services (at [email protected]).

If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is

The report must include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved. An Incident Report Form should be completed as part of the reporting process (refer to Appendix 1).

All staff should be aware that any breach of Data Protection legislation may result in The Alliance’s Disciplinary Procedures being

5. Containment and recovery

The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the

An initial assessment will be made by the DPO in liaison with relevant officer(s) to establish the severity of the breach and who will take the lead investigating the breach, as the Lead Investigation Officer (this will depend on the nature of the breach; in some cases, it could be the DPO).

The Lead Investigation Officer (LIO) will establish whether there is anything that can be done to recover any losses and limit the damage the breach could

The LIO will establish who may need to be notified as part of the initial containment and will inform the police, where

Advice from experts across The Alliance may be sought in resolving the incident

The LIO, in liaison with the relevant officer(s) will determine the suitable course of action to be taken to ensure a resolution to the

6. Investigation and risk assessment

An investigation will be undertaken by the LIO immediately and wherever possible, within 24 hours of the breach being discovered /

The LIO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to

The investigation will need to take into account the following:

the type of data involved;

its sensitivity;

the protections that are in place (e.g. encryption);

what has happened to the data (e.g. has it been lost or stolen?);

whether the data could be put to any illegal or inappropriate use;

data subject(s) affected by the breach, number of individuals involved and the potential effects on those data subject(s);

whether there are wider consequences to the

7. Notification

The LIO and / or the DPO, in consultation with relevant colleagues will establish whether the Information Commissioner’s Office will need to be notified of the breach, and if so, notify them within 72 hours of becoming aware of the breach, where

Every incident will be assessed on a case by case basis; however, the following will need to be considered:

whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms under Data Protection legislation[2];

whether notification would assist the individual(s) affected (e.g. could they act on the information to mitigate risks?);

whether notification would help prevent the unauthorised or unlawful use of personal data;

whether there are any legal / contractual notification requirements;

the dangers of over notifying. Not every incident warrants notification and over notification may cause disproportionate enquiries and

Individuals whose personal data has been affected by the incident, and where it has been considered likely to result in a high risk of adversely affecting that individual’s rights and freedoms, will be informed without undue delay. Notification will include a description of how and when the breach occurred, and the data involved. Specific and clear advice will be given on what they can do to protect themselves and include what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact The Alliance for further information or to ask questions on what has

The LIO and / or the DPO must consider notifying third parties such as the police, insurers, banks or credit card companies, and trade unions. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.

The LIO and / or the DPO will consider whether the Communications Team should be informed regarding a press release and to be ready to handle any incoming press

A record will be kept of any personal data breach, regardless of whether notification was

8. Evaluation and response

Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be

Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents

implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of

If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by The Alliance Executive Committee.

9. Policy Review

This policy will be updated as necessary to reflect best practice and to ensure compliance with any changes or amendments to relevant

This policy was last reviewed in May 2018. The policy was approved by The Alliance Executive Committee in May

APPENDIX 1

DATA BREACH REPORT FORM

Please act promptly to report any data breaches. If you discover a data breach, please notify your Head of Department immediately, complete Section 1 of this form and email it to the Data Protection Officer ([email protected]) and, where appropriate, the IT Helpdesk ([email protected]).

• Information that could be used to commit identity fraud, such as personal bank account and other financial information; national identifiers, such as National Insurance Number; and copies of passports and visas;

• Personal information relating to vulnerable adults and children;

• Detailed profiles of individuals including information about work performance, salaries or personal life that would cause significant damage or distress to that person if disclosed;

• Spreadsheets of marks or grades obtained by student interns, information about individual cases of student discipline or sensitive negotiations which could adversely affect individuals.

• Security information that would compromise the safety of individuals if disclosed.

Data Protection Officer and/or Lead Investigation Officer to consider whether it should be escalated to the appropriate member of The Alliance Executive Committee

Section 3: Action taken

To be completed by Data Protection Officer and/or Lead Investigation Officer

Incident number

e.g. year/001

Report received by:

On (date):

Action taken by responsible officer/s:

Was incident reported to Police?

Yes/No

If YES, notified on (date):

Follow up action required/recommended:

Reported to Data Protection Officer and Lead Officer on (date):

Reported to other internal stakeholders (details, dates):

For use of Data Protection Officer and/or Lead Officer:

Notification to ICO

YES/NO If YES, notified on: Details:

Notification to data subjects

YES/NO If YES, notified on: Details:

Notification to other external, regulator/stakeholder

YES/NO If YES, notified on: Details:

Updated 11-13-2018
